FTP connection tracking module
Tue, 23 Oct 2001 14:20:13 +0200
On Tue, Oct 23, 2001 at 01:57:58AM +0200, Ceache wrote:
> I'm using netfilter on my personnal lan at home and I'm greatly satisfied
> with it.
> But, I miss a feature and I was thinking about implementing it. But first,
> since I am an *ok* (I think ;p) programmer in C but I have never touched
> anything like the linux kernel/modules nor firewalling solutions, I would
> like some advice.
> My idea is that, right now FTP conntrack is only listenning on port 21 (a
> simple test against htons(21)).
> I would like to change that so that netfilter at best detects FTP trafics
> automaticly or at least that there are some /proc trics to had some ports.
What do you think ist the following part of ip_conntrack_ftp.c for? ;)
#define MAX_PORTS 8
static int ports[MAX_PORTS];
static int ports_c;
MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i");
You have module load time parameters for specifying alternate ftp ports.
There have been long-time plans to make them runtime-changeable via sysctl(),
but it never got implemented. If you want to do this, feel free to do so.
> I would ten times prefer the first behavior. I look into it and one of the
> idea I thought of was to use dsniff type of mecanisism to guess the
> protocol. Then creating a prerouting target that would mark packets
> depending on protocols. (in my opinion, this sound like something really
> neat for routing/filtering/QoS etc... than just rules based on port matching).
> But now I'm facing some problems :
It's way too expensive. Up to which bandwidth do you think you can do
a couple of protocol detections on each packet?
I don't think that this is possible in any realistic scenario, sorry.
> I would really greatly appriciate anytime of comment about it (you can tell
> me if you think I'm crazy ;P)
> P.S. I'm french and, well, I'm sorry if my english sounds weird or if I
> can't speel properly.
;) no problem. Most of the people here are no native english speakers. I'm
german, for example.
> Charles-Henri de Boysson
Live long and prosper
- Harald Welte / email@example.com http://www.gnumonks.org/
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M-
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)